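public function nonceAction()
 {
     // Answers the client-side bcrypt challenge: returns the user's bcrypt salt prefix plus a
     // fresh nonce (also stored in the session), as JSON that must never be cached.
     header('Content-Type: application/json; charset=UTF-8');
     header('Last-Modified: ' . gmdate('D, d M Y H:i:s \\G\\M\\T'));
     header('Expires: 0');
     header('Cache-Control: private, no-cache, no-store, must-revalidate');
     header('Pragma: no-cache');
     $user = isset($_GET['user']) ? $_GET['user'] : '';
     // A non-string value (e.g. user[]=x) must never reach ctype_alnum().
     if (is_string($user) && ctype_alnum($user)) {
         try {
             $salt = FreshRSS_Context::$system_conf->salt;
             $conf = get_user_configuration($user);
             $hash = $conf === null ? '' : $conf->passwordHash;
             if (is_string($hash) && strlen($hash) >= 60) {
                 // CRYPT_BLOWFISH salt: "$2a$", a two digit cost parameter, "$", and 22 characters
                 // from the alphabet "./0-9A-Za-z" — the first 29 bytes of the stored hash.
                 $this->view->salt1 = substr($hash, 0, 29);
                 // The nonce is a one-time challenge value: use the CSPRNG when the runtime has it
                 // (PHP 7.0+), otherwise fall back to the historical sha1(salt . uniqid) construction.
                 $this->view->nonce = function_exists('random_bytes')
                     ? bin2hex(random_bytes(20))
                     : sha1($salt . uniqid(mt_rand(), true));
                 Minz_Session::_param('nonce', $this->view->nonce);
                 // Success
                 return;
             }
         } catch (Minz_Exception $me) {
             Minz_Log::warning('Nonce failure: ' . $me->getMessage());
         }
     } else {
         Minz_Log::notice('Nonce failure due to invalid username!');
     }
     // Failure: return data shaped like a real answer, so that a caller cannot distinguish an
     // unknown user from a known one by the response body.
     $this->view->salt1 = sprintf('$2a$%02d$', FreshRSS_user_Controller::BCRYPT_COST);
     $alphabet = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
     $hasCsprng = function_exists('random_int');
     for ($i = 0; $i < 22; $i++) {
         $this->view->salt1 .= $alphabet[$hasCsprng ? random_int(0, 63) : mt_rand(0, 63)];
     }
     $this->view->nonce = function_exists('random_bytes')
         ? bin2hex(random_bytes(20))
         : sha1(mt_rand());
 }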
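 public function nonceAction()
 {
     // Answers the client-side bcrypt challenge: returns the user's bcrypt salt prefix plus a
     // fresh nonce (also stored in the session), as JSON that must never be cached.
     header('Content-Type: application/json; charset=UTF-8');
     header('Last-Modified: ' . gmdate('D, d M Y H:i:s \\G\\M\\T'));
     header('Expires: 0');
     header('Cache-Control: private, no-cache, no-store, must-revalidate');
     header('Pragma: no-cache');
     $user = isset($_GET['user']) ? $_GET['user'] : '';
     // A non-string value (e.g. user[]=x) must never reach ctype_alnum().
     if (is_string($user) && ctype_alnum($user)) {
         try {
             $salt = FreshRSS_Context::$system_conf->salt;
             $conf = get_user_configuration($user);
             $hash = $conf === null ? '' : $conf->passwordHash;
             if (is_string($hash) && strlen($hash) >= 60) {
                 // CRYPT_BLOWFISH salt: "$2a$", a two digit cost parameter, "$", and 22 characters
                 // from the alphabet "./0-9A-Za-z" — the first 29 bytes of the stored hash.
                 $this->view->salt1 = substr($hash, 0, 29);
                 // The nonce is a one-time challenge value: use the CSPRNG when the runtime has it
                 // (PHP 7.0+), otherwise fall back to the historical sha1(salt . uniqid) construction.
                 $this->view->nonce = function_exists('random_bytes')
                     ? bin2hex(random_bytes(20))
                     : sha1($salt . uniqid(mt_rand(), true));
                 Minz_Session::_param('nonce', $this->view->nonce);
                 // Success
                 return;
             }
         } catch (Minz_Exception $me) {
             Minz_Log::warning('Nonce failure: ' . $me->getMessage());
         }
     } else {
         Minz_Log::notice('Nonce failure due to invalid username!');
     }
     // Failure: empty fields. NOTE(review): this response is distinguishable from the success
     // response, so an unauthenticated caller can tell valid usernames from invalid ones;
     // returning plausible random data instead would close that, if the consumer tolerates it.
     $this->view->nonce = '';
     $this->view->salt1 = '';
 }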
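 /**
  * Verifies $password against the user's API password hash.
  *
  * On success the user name is stored in the session as 'currentUser'.
  * Returns false when the user has no configuration, no API password hash, or
  * when the password does not verify.
  */
 private function auth_user($username, $password)
 {
     // password_verify() is PHP 5.5+; older runtimes get the compat polyfill.
     if (!function_exists('password_verify')) {
         include_once LIB_PATH . '/password_compat.php';
     }
     $user_conf = get_user_configuration($username);
     if ($user_conf === null) {
         return false;
     }
     $hash = $user_conf->apiPasswordHash;
     // Strict checks: an unset/non-string hash or a non-string password must never be
     // handed to password_verify() (the loose `!= ''` let null through).
     if (!is_string($hash) || $hash === '' || !is_string($password)) {
         return false;
     }
     if (!password_verify($password, $hash)) {
         return false;
     }
     Minz_Session::_param('currentUser', $username);
     return true;
 }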
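 /**
  * Gives access to the current user.
  *
  * Sets self::$login_ok according to the configured auth_type and mirrors it into
  * the session key 'loginOk'. Any unknown auth_type denies access.
  */
 public static function giveAccess()
 {
     $current_user = Minz_Session::param('currentUser');
     $user_conf = get_user_configuration($current_user);
     $system_conf = Minz_Configuration::get('system');
     switch ($system_conf->auth_type) {
         case 'form':
             // Both values are server-held. A missing configuration or an empty session hash
             // denies, so that "no password set" can never compare equal to "no session".
             $session_hash = Minz_Session::param('passwordHash');
             self::$login_ok = $user_conf !== null
                 && is_string($session_hash) && $session_hash !== ''
                 && $session_hash === $user_conf->passwordHash;
             break;
         case 'http_auth':
             // An empty session user must not match an empty HTTP auth user.
             self::$login_ok = is_string($current_user) && $current_user !== ''
                 && strcasecmp($current_user, httpAuthUser()) === 0;
             break;
         case 'persona':
             $mail = Minz_Session::param('mail');
             self::$login_ok = $user_conf !== null
                 && is_string($mail) && $mail !== ''
                 && strcasecmp($mail, $user_conf->mail_login) === 0;
             break;
         case 'none':
             self::$login_ok = true;
             break;
         default:
             // TODO: extensions
             self::$login_ok = false;
     }
     Minz_Session::_param('loginOk', self::$login_ok);
 }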
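/**
 * Google Reader style ClientLogin: checks $pass against the user's API password
 * hash and prints SID/Auth tokens on success. Every branch terminates the request.
 */
function clientLogin($email, $pass)
{
    //http://web.archive.org/web/20130604091042/http://undoc.in/clientLogin.html
    // Validate before logging so that unvalidated request bytes never reach the log.
    if (!is_string($email) || !ctype_alnum($email)) {
        logMe("clientLogin(): rejected non-alphanumeric user\n");
        badRequest();
        die;
    }
    logMe('clientLogin(' . $email . ")\n");
    // password_verify() is PHP 5.5+; older runtimes get the compat polyfill.
    if (!function_exists('password_verify')) {
        include_once LIB_PATH . '/password_compat.php';
    }
    $conf = get_user_configuration($email);
    if ($conf === null) {
        Minz_Log::warning('Invalid API user ' . $email . ': configuration cannot be found.');
        unauthorized();
        die;
    }
    $hash = $conf->apiPasswordHash;
    // Strict checks: an unset hash or a non-string password must never reach password_verify().
    if (is_string($hash) && $hash !== '' && is_string($pass) && password_verify($pass, $hash)) {
        header('Content-Type: text/plain; charset=UTF-8');
        $system_conf = Minz_Configuration::get('system');
        // The token is deterministic for a given (salt, user, hash); it only changes with the API password.
        $auth = $email . '/' . sha1($system_conf->salt . $email . $hash);
        echo 'SID=', $auth, "\n", 'Auth=', $auth, "\n";
        exit;
    }
    Minz_Log::warning('Password API mismatch for user ' . $email);
    unauthorized();
    die;
}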
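 /**
  * This action resets the authentication system.
  *
  * After resetting, form auth is set by default.
  *
  * Only reachable while auth_type is 'persona' and the default (admin) user has a
  * master password; on POST the challenge/nonce pair is checked against that
  * password before auth_type is switched to 'form' and saved.
  */
 public function resetAction()
 {
     Minz_View::prependTitle(_t('admin.auth.title_reset') . ' · ');
     // Cache-bust the script with its mtime; a missing file yields an empty suffix
     // instead of a suppressed warning.
     $bcryptJs = PUBLIC_PATH . '/scripts/bcrypt.min.js';
     $bcryptVersion = is_file($bcryptJs) ? filemtime($bcryptJs) : '';
     Minz_View::appendScript(Minz_Url::display('/scripts/bcrypt.min.js?' . $bcryptVersion));
     $this->view->no_form = false;
     // Enable change of auth only if Persona!
     if (FreshRSS_Context::$system_conf->auth_type !== 'persona') {
         $this->view->message = array('status' => 'bad', 'title' => _t('gen.short.damn'), 'body' => _t('feedback.auth.not_persona'));
         $this->view->no_form = true;
         return;
     }
     $conf = get_user_configuration(FreshRSS_Context::$system_conf->default_user);
     if ($conf === null) {
         return;
     }
     // Admin user must have set its master password.
     $adminHash = $conf->passwordHash;
     if (!is_string($adminHash) || $adminHash === '') {
         $this->view->message = array('status' => 'bad', 'title' => _t('gen.short.damn'), 'body' => _t('feedback.auth.no_password_set'));
         $this->view->no_form = true;
         return;
     }
     invalidateHttpCache();
     if (Minz_Request::isPost()) {
         $nonce = Minz_Session::param('nonce');
         $username = Minz_Request::param('username', '');
         $challenge = Minz_Request::param('challenge', '');
         // NOTE(review): the admin's hash is checked regardless of $username — assumes
         // checkCredentials() ties the pair together; verify against its implementation.
         $ok = FreshRSS_FormAuth::checkCredentials($username, $adminHash, $nonce, $challenge);
         if ($ok) {
             FreshRSS_Context::$system_conf->auth_type = 'form';
             $ok = FreshRSS_Context::$system_conf->save();
             if ($ok) {
                 Minz_Request::good(_t('feedback.auth.form.set'));
             } else {
                 Minz_Request::bad(_t('feedback.auth.form.not_set'), array('c' => 'auth', 'a' => 'reset'));
             }
         } else {
             Minz_Log::warning('Password mismatch for user=' . $username . ', nonce=' . $nonce . ', c=' . $challenge);
             Minz_Request::bad(_t('feedback.auth.login.invalid'), array('c' => 'auth', 'a' => 'reset'));
         }
     }
 }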